{"id":"CVE-2019-8341","details":"An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing","modified":"2026-03-20T11:30:35.424200Z","published":"2019-02-15T07:29:00.257Z","related":["SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2019:1156-1","SUSE-SU-2019:1554-1","SUSE-SU-2020:3096-1","SUSE-SU-2020:3897-1","openSUSE-SU-2019:1395-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1677653"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1125815"},{"type":"PACKAGE","url":"https://github.com/JameelNabbo/Jinja2-Code-execution"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46386/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/jinja","events":[{"introduced":"0"},{"last_affected":"7c3b7ca95cb17589dd64fddc957035336180b90d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.10"}]}}],"versions":["2.0","2.0rc1","2.1","2.1.1","2.10","2.10.1","2.10.2","2.10.3","2.10.x","2.2","2.2.1","2.3","2.3.1","2.4","2.4.1","2.5","2.5.1","2.5.3","2.5.4","2.5.5","2.6","2.7","2.7.1","2.7.2","2.7.3","2.8","2.8.1","2.9","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.x"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-8341.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"42.3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}